The next time a password strength meter grades your security code as “very strong,” you might want to think again.
Researchers at Concordia University in Montreal found that major Internet service providers give high marks to basic and easily breakable passwords.
{mosads}The survey of Web services such as Google, Twitter, Skype and Dropbox found “highly inconsistent” standards for what makes a password strong.
Some services allow letter-only passwords while others require three character sets — a letter, a number and a symbol. Others grade common phrases as strong passwords, raising researchers’ eyebrows.
“These weaknesses and inconsistencies may confuse users in choosing a stronger password and thus may weaken the purpose of these meters,” said Xavier de Carne de Carnavalet, a graduate student who working on the survey.
“But on the other hand, our findings may help design better meters and possibly make them an effective tool in the long run,” he said.
The company with the best password strength meter is Dropbox, the file-sharing service. It compels users to create passwords that contain no words commonly found in the dictionary.
Researchers said they contacted Web companies to encourage improvements in their systems, but none of their larger recommendations have been adopted.
The survey will be published in the journal ACM Transactions on Information and System Security.